Allow importing JWK ECDH private keys with "deriveKey" and "deriveBits" usage.

Previously, this would fail unless the "use" field was omitted. Bug: 641499 Change-Id: Iedfbc6e9ead9a5b1355e0611af8a4f0101b2cba8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2457968 Commit-Queue: Eric Roman <eroman@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#814890}

Allow importing JWK ECDH private keys with "deriveKey" and "deriveBits" usage.
Previously, this would fail unless the "use" field was omitted. Bug: 641499 Change-Id: Iedfbc6e9ead9a5b1355e0611af8a4f0101b2cba8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2457968 Commit-Queue: Eric Roman <eroman@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#814890}
b66c7461 · Eric Roman · Commit Bot · 113c2ebd · b66c7461 · b66c7461
Commit b66c7461 authored Oct 07, 2020 by Eric Roman Committed by Commit Bot Oct 07, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 5 deletions

components/test/data/webcrypto/ecdh.json components/test/data/webcrypto/ecdh.json +4 -2

components/webcrypto/jwk.cc components/webcrypto/jwk.cc +11 -3

No files found.
--- a/components/test/data/webcrypto/ecdh.json
+++ b/components/test/data/webcrypto/ecdh.json
@@ -390,7 +390,8 @@
    "error": "OperationError: Length specified for ECDH key derivation is too large. Maximum allowed is 528 bits"
  },

-  // The JWK has wrong usages (enc)
+  // Test derivation using a JWK that sets "use": "enc".
+  // Regression test for https://crbug.com/641499
  {
    "public_key": {
      "crv": "P-256",
@@ -408,7 +409,8 @@
      "use": "enc"
    },

-    "private_key_error": "DataError: The JWK \"use\" member was inconsistent with that specified by the Web Crypto call. The JWK usage must be a superset of those requested"
+    "length_bits": 256,
+    "derived_bytes": "163FAA3FC4815D47345C8E959F707B2F1D3537E7B2EA1DAEC23CA8D0A242CFF3"
  }
 ]

--- a/components/webcrypto/jwk.cc
+++ b/components/webcrypto/jwk.cc
@@ -37,11 +37,19 @@ namespace webcrypto {

 namespace {

-// Web Crypto equivalent usage mask for JWK 'use' = 'enc'.
+// |kJwkEncUsage| and |kJwkSigUsage| are a superset of the possible meanings of
+// JWK's {"use":"enc"}, and {"use":"sig"} respectively.
+//
+// TODO(https://crbug.com/1136147): Remove these masks,
+// as they are not consistent with the Web Crypto
+// processing model for JWK. In particular,
+// intersecting the usages after processing the JWK
+// means Chrome can fail with a Syntax error in cases
+// where the spec describes a Data error.
 const blink::WebCryptoKeyUsageMask kJwkEncUsage =
    blink::kWebCryptoKeyUsageEncrypt | blink::kWebCryptoKeyUsageDecrypt |
-    blink::kWebCryptoKeyUsageWrapKey | blink::kWebCryptoKeyUsageUnwrapKey;
-// Web Crypto equivalent usage mask for JWK 'use' = 'sig'.
+    blink::kWebCryptoKeyUsageWrapKey | blink::kWebCryptoKeyUsageUnwrapKey |
+    blink::kWebCryptoKeyUsageDeriveKey | blink::kWebCryptoKeyUsageDeriveBits;
 const blink::WebCryptoKeyUsageMask kJwkSigUsage =
    blink::kWebCryptoKeyUsageSign | blink::kWebCryptoKeyUsageVerify;